In late 2023 and into 2024, vulnerabilities in Ivanti’s Policy Secure network access control (NAC), Connect Secure secure socket layer virtual private network (SSL VPN), and Neurons for zero-trust access (ZTA) products were exploited by a threat actor suspected of involvement in nation-state espionage activity. This raised concerns among organizations worldwide.
Ivanti, headquartered in Utah, specializes in various software solutions including security software, IT service and asset management software, identity management software, and supply chain management software. The company has a long history that dates back to 1985 and has grown through mergers and acquisitions, ultimately rebranding as Ivanti in 2017.
The vulnerabilities identified affect only Ivanti’s Connect Secure, Policy Secure, and ZTA gateways, and do not impact any other products. The first two vulnerabilities, CVE-2023-46805 and CVE-2024-21887, are an authentication bypass flaw and a command injection vulnerability in the web components of the affected products. These vulnerabilities were discovered by researchers a month before their official disclosure and were being actively exploited by the threat actor to implant web shells on compromised devices.
Further vulnerabilities, CVE-2024-21893, CVE-2024-22024, and CVE-2024-21888, were disclosed following the initial mitigation guidance from Ivanti. These vulnerabilities include a server-side request forgery zero-day vulnerability, an XML vulnerability, and a privilege escalation vulnerability.
SSL VPN products, like Ivanti’s Connect Secure, have been targeted by threat actors in the past as entry points into organizations. To address these vulnerabilities, Ivanti has been actively working to release patches and mitigation measures. The company has emphasized its commitment to customer support, continuous communication, and proactive measures against evolving threats.
Organizations using affected Ivanti products have been advised to disconnect and isolate them from other enterprise resources, conduct threat hunting, and monitor authentication and identity services. Ivanti has provided detailed guidance on addressing the vulnerabilities, including export and reconfiguration steps, rebuilding the product, and revoking and reissuing certificates and passwords.
It should be noted that a new advisory from US authorities has identified potential issues with Ivanti’s internal and external Integrity Checker Tool (ICT), which may leave compromised systems undetected. Security teams are advised to assume that user and service account credentials have been compromised and to follow incident response recommendations.
Given these ongoing developments, it is recommended that security teams carefully evaluate the current guidance and actions taken by Ivanti. While the company has outlined its commitment to customer support, it is not capable of providing full forensic investigation services. Organizations that suspect compromise should seek guidance and support from a forensic provider.
Ultimately, the decision to continue using Ivanti products should be made by security teams based on the available information and ongoing assessment of the situation.